DeepSec 2020 Talk: Old Pareto had a Chart: How to achieve 80% of Threat Modelling Benefits with 20% of the Efforts – Irene Michlin

Sanna/ November 18, 2020/ Conference

The earlier in the lifecycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. However, it is often perceived by the organisations as too expensive to introduce, or too slow to fit modern lifecycles, be it Agile, Lean, or DevOps. This talk will show how to fit threat modelling in fast-paced software development, without requiring every developer to become an expert. The outcomes should be immediately applicable, hopefully empowering you to try it at work the day after the conference. We asked Irene a few more questions about his talk. Please tell us the top 5 facts about your talk. Based on my experience introducing threat modeling

Read More

DeepSec Keynote: DevSecBioLawOps and the current State of Information Security

René Pfeiffer/ November 13, 2020/ Conference

Technology is evolving. This is especially true for computer science and the related information technology branch. When everything is outdated after a couple of months, the wind of change turns into a storm. It also affects the way we work, processes which enable us to get work done, and changes perspectives how we see the world, code, and its applications. Dev, DevOps, and DevSecOps is a good example how these changes look like at the top of the iceberg. Subjectively information security is always a few steps behind the bleeding edge. The word „bleeding“ is a good indication of why this is the case. However, security professionals cannot turn back time and ignore the way the world works. New technology will always get pushed into all areas of our lives until its creators realise

Read More

Press Release: Presenting new Ways in Information Security

Sanna/ November 11, 2020/ Conference

Like every year, DeepSec and DeepINTEL get to the bottom of the current state of information security. So far, 2020 has shown that surprises and critical events are always to be expected. Information security still knows no break. On the contrary: weak points in software, hardware, legislature and infrastructure are a permanent threat to digital information. So that those affected still have better chances against constant attacks, the DeepSec and DeepINTEL conferences will take place this year completely digitally via the Internet. Security can only be achieved through joint efforts. Therefore, this November, as every year, there will be an exchange between experts, users, software developers, administrators and those responsible! Solving problems instead of postponing them Hardly any other area is constantly inventing new terms like information technology. Unfortunately, misunderstandings and obscuring their meaning

Read More

Press Release: IT Security Sabotage threatens the domestic Economy

Sanna/ November 10, 2020/ Conference, Discussion, Press

Effective end-to-end encryption is a critical component in everyday and business life. Over 300 years ago, cryptanalysis, i.e. the method for decrypting secret codes, had its heyday in Europe. In so-called black chambers or black cabinets (also known as cabinet noir) in post offices all letters from certain people were secretly opened, viewed, copied and closed again. The letters intercepted in this way were then delivered. The purpose was to find dangerous or harmful news for the regents of the time. The most active and efficient chamber in Europe was the Secret Cabinet Chancellery in Vienna. This early form of wiretapping was only ended in the 19th century. And this scenario of the imperial and royal courts is now facing all European companies and individuals. End-to-end encryption is to be provided with back doors

Read More

DeepSec 2020 Talk: TaintSpot: Practical Taint Analysis and Exploit Generation for Java – Dr. – Ing. Mohammadreza Ashouri

Sanna/ November 2, 2020/ Conference

“In this talk I will introduce a scalable and practical security analysis and automatic exploit generation approach, which is called TaintSpot. It works based on an optimized hybrid taint analysis technique that combines static and dynamic vulnerability analysis. TaintSpot generates concrete exploits based on concolic testing for programs written for the Java Virtual Machine (JVM) ecosystem.TaintSpot is specially designed for operating on large-scale proprietary executable binaries with multiple external dependencies. TaintSpot is under development system; for now, it targets JVM binaries, but I plan to extend it to android applications.” We asked Mohammadreza a few more questions about his talk. Please tell us the top 5 facts about your talk. Static and dynamic taint analysis have various advantages and disadvantages; I consider consolidating the best of these techniques to improve the effectiveness and scalability

Read More

DeepSec2020 Talk: What’s Up Doc? – Self Learning Sandboxes to Defeat Modern Malwares Using RSA: Rapid Static Analysis – Shyam Sundar Ramaswami

Sanna/ October 30, 2020/ Conference

“Catch me if you can!” is the right phrase to describe today’s malware genre. Malwares have become more stealthy, deadly and authors have become more wiser too. What if sandboxes started performing rapid static analysis on malware files and passed on the metadata to spin a sandbox environment based on malware attributes and the malware does not evade? Well, the talk deals with about how to do RSA (Rapid Static Analysis, i coined it), pass on the attributes and how we defeat modern malwares by dynamically spinning sandboxes. RSA embedded in “H.E.L.E.N” and “Dummy” and how we extracted the real IOC from Ryuk forms the rest of the talk and story! The talk also covers how these key “attributes” that are extracted are used for ML, how we build bipartite graphs, build instruction based

Read More

DeepSec 2020 Talk: “I Told You So!” – Musings About A Blameless Security Culture – Tim Berghoff, Hauke Gierow

Sanna/ October 29, 2020/ Conference

The concept of a blameless culture is familiar to agile software development teams the world over. Going blameless has lots of merits, yet in many organizations and management teams true blamelessness is far from being the norm. This is especially true for the security sector, where the thinking is perhaps even more linear than elsewhere in an organization. This way of thinking is not necessarily bad, but not always helpful. On the other hand, sugarcoating any shortcoming will not help things along either. In truth, the security industry is still facing a lot of work when it comes to dealing with people. This talk will address and explore some of the fundamental problems of corporate security culture and why it keeps companies from moving forward. We asked Tim and Hauke a few more questions

Read More

DeepSec 2020 Talk: No IT Security Without Free Software – Max Mehl

Sanna/ October 28, 2020/ Conference

IT security is one of the most challenging global issues of recent years. But apart from the establishment of countless “cyber security” authorities, politics doesn’t seem to come up with something substantial. However, Free Software can be the solution to many pressing security problems. In this session, we will look at pros and cons and use concrete examples to illustrate why security and openness are not contradictory. For security professionals, the growing complexity of today’s digital world is no big surprise. But decision-makers are often overwhelmed by these new challenges and the uncertainties they entail. As a result, many fall for cheap selling arguments for black-boxed solutions and lose sight of a general strategy. We don’t know the exact security threats in five or ten years, but it is obvious that nobody can face

Read More

DeepSec2020 Talk: Pivoting – As an Attack Weapon – Filipi Pires

Sanna/ October 27, 2020/ Conference

Demonstrating an exploit in a container environment (three dockers) across three different networks, I will demonstrate different pivot, vulnerability exploit, and privilege escalation techniques on all machines using Alpine linux, Gogs app, and other Linux platforms using Pentest methodologies such as recon, enumeration, exploitation, post exploitation. By the end of this presentation everyone will be able to see different ways that exist in working with a single form of pivot and how to overcome different obstacles in different networks within this “new” environment called Docker. We asked Filipi a few more questions about his talk. Please tell us the top 5 facts about your talk. During this presentation, we are looking at some important facts such as: Observability in different environment, vulnerability exploit, use of privilege escalation techniques, some misconfigurations or maybe no good

Read More

DeepSec 2020 Talk: Journey Into Iranian Cyber Espionage – Chris Kubecka

Sanna/ October 26, 2020/ Conference

Welcome to the new Cold War in the Middle East. In 2012, Iran’s first Shamoon attacks almost crashed every world economy, nearly bringing the world to its knees. Since then, the game of spy vs. spy has intensified. Join Chris on a 2.5 year Iranian espionage campaign attempting to recruit her for the most innocent of jobs; teaching critical infrastructure hacking with a focus on nuclear facilities. A journey of old school espionage with a cyber twist. Bribery, sockpuppets, recruitment handlers, propaganda VVIP luxury trip mixed with a little IOT camera revenge. We asked Chris a few more questions about his talk. Please tell us the top 5 facts about your talk. Governments friendly, friendemy and enemy actively recruit for cyber offensive talent Finding the correct place to report active espionage and illegal bribery

Read More

DeepSec 2020 Talk: The Great Hotel Hack: Adventures In Attacking The Hospitality Industry – Etizaz Mohsin

Sanna/ October 23, 2020/ Conference

Have you ever wondered if your presence might be exposed to an unknown entity even when you are promised full security and discretion at a hotel? Well, it would be scary to know that the hospitality industry is a prime target nowadays for cyber threats as hotels offer many opportunities for hackers and other cybercriminals to target them and therefore resulting in data breaches. Not just important credit card details are a prime reason, but also an overload of guest data, including emails, passport details, home addresses and more. Marriot International where 500 million guests’ private information was compromised is one of the best examples. Besides data compromise, surgical strikes have been conducted by threat actors against targeting guests at luxury hotels in Asia and the United States. The advanced persistent threat campaign called

Read More

DeepSec2020 Talk: Faulting Hardware from Software – Daniel Gruss

Sanna/ October 22, 2020/ Conference

Fault attacks induce incorrect behavior into a system, enabling the compromise of the entire system and the disclosure of confidential data. Traditionally, fault attacks required hardware equipment and local access. In the past five years multiple fault attacks have been discovered that do not require local access, as they can be mounted from software. We will discuss the Rowhammer attack and how it can subvert a system. We then show that a new primitive, Plundervolt, can similarly lead to a system compromise and information disclosure. We asked Daniel a few more questions about his talk. Please tell us the top 5 facts about your talk. Software-based fault attacks, like Rowhammer, enables unprivileged attackers to manipulate hardware Hardware flaws can lead to privilege escalation and a full system compromise Plundervolt is another fault attack we

Read More

DeepSec Press Release: DeepSec and DeepINTEL 2020 as a hybrid conference. IT security in unusual times – events enable virtual access.

Sanna/ October 21, 2020/ Conference, DeepIntel

There’s nothing like “business as usual” in information security. Vulnerabilities in software, malware, campaigns to attack companies and organizations as well as defending your own infrastructure know no break. In recent months, digital networking has been put to the test as the most important pillar of society and working life. It is often forgotten that not every chic app, every portal and digital trend is trustworthy. For security reasons the annual DeepSec and DeepINTEL conferences will run as a hybrid event. Virtual lectures and face-to-face presentations will be equally accessible to all participants and speakers. Digital protection has never been more important Digitization is quickly pronounced. Software is even faster labelled as secure. Unfortunately, the last few decades of security research have shown that weak points can only be reduced through consistent secure design

Read More

DeepSec2020 talk: Ransomware: Trends, Analysis and Solutions – Josh Pyorre

Sanna/ October 9, 2020/ Conference

My talk on ransomware will be technical, but also tells the story of how it’s evolved, highlighting specific and interesting infections. I’ll walk through the history of ransomware, its relationship to cryptojacking, and the supporting software made up of malspam and exploit kits. We’ll also address the recent phase of ransomware data extortion. There will be demonstrations of current malware infections as well as unique methods and ideas for detection and hunting. We’ll end with multiple methods of prevention and mitigation, some using paid products, but with the focus primarily on opensource options. Since I work with approximately 15% of the internets DNS traffic in my job, I will be using some of that data to show statistics. Despite that, I’ve done my best to make sure this is not a talk about products from my company, and aim

Read More

DeepSec 2020 Talk: Scaling A Bug Bounty Program – Catalin Curelaru

Sanna/ October 8, 2020/ Conference

Hacking, hackers and bug bounties are really getting constant headlines into the mainstream news. In the past few years we have seen an impressive growth in Bug Bounty Programs and at this point we really need to ask: Is a Bug Bounty Program a new layer to secure applications? Implementing a Bug Bounty Program can be challenging and requires some understanding of the nuances of how to make it successful or not. Actually, running a successful bug bounty program starts far before it is launched officially. What are the prerequisites and why can we consider a bug bounty program as a layer for your Application Security Program? How do you measure if you are successful or not and what are the KPIs? When are you ready to start such a program? Based on the

Read More